
AI-Crafted Linux Malware ‘Koske’ Signals a New Era in Cyber Threats

Written by Admin | Jul 28, 2025 11:47:49 AM

A newly discovered piece of Linux malware, named Koske, is raising eyebrows in the security community. Not only is it a capable cryptominer, but it appears to be almost entirely AI-generated, both in how it’s written and how it behaves. Designed to assess the infected system’s capabilities, Koske runs miners for any of 18 different cryptocurrencies, including Monero and Ravencoin.

What sets Koske apart is its structure and sophistication. Security researchers who analysed it found that the code included AI-style comments and highly efficient logic that rivalled, or even surpassed, many human-developed malware strains. This suggests attackers are now using AI to generate production-ready malware faster, with fewer errors, and with features previously seen only in advanced threats.

Delivered via Panda JPEGs

Koske has been observed targeting misconfigured, internet-facing services, such as open JupyterLab instances. But it’s the method of delivery that stands out: the malware is hidden within seemingly harmless AI-generated images of pandas. These aren’t used to trick the user directly; rather, the malware is appended to the end of the JPEG to form a polyglot file, one that remains a valid image while also carrying the payload. It’s designed to evade detection by tools that might ignore image files when scanning for malicious code.
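A defensive check for the polyglot layout described above, added here as an example (it is not code from the article or from any published Koske analysis): it walks the JPEG’s own segment structure to find the End-Of-Image marker and reports anything appended after it. The stream returned by `build_sample` is a constructed minimal JPEG skeleton for testing, not a real picture.

```python
import struct

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0-RST7: no length field

def jpeg_payload_end(data: bytes) -> int:
    """Offset just past EOI, found by walking segments (an appended payload may itself contain FF D9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte ahead of a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            # Entropy-coded data follows: 0xFF inside it is followed by 0x00
            # (stuffing) or an RSTn marker, so stop at any other marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_bytes(data: bytes) -> bytes:
    """Bytes appended after EOI; a non-empty result marks a candidate polyglot."""
    return data[jpeg_payload_end(data):]

def build_sample(appendix: bytes = b"") -> bytes:
    """Constructed minimal JPEG structure (not a decodable picture) for testing."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"  # includes a stuffed 0xFF and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + appendix

if __name__ == "__main__":
    tail = trailing_bytes(build_sample(b"#!/bin/sh\necho constructed\n"))
    print(f"{len(tail)} trailing bytes: {tail[:20]!r}")
```

Run the same check over a directory of uploaded or downloaded images; a file whose trailing bytes start with a shebang, a script keyword or an ELF header deserves immediate attention.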

The level of planning involved in this infection method suggests AI may have been used to design the entire attack chain, not just the payload. From evasion to execution, it’s alarmingly clean, with none of the sloppy mistakes usually seen in human-written malware.

Built for Persistence and Independence

Once installed, Koske takes extensive measures to maintain persistence and stay hidden. It deploys a rootkit, schedules cron jobs, and modifies system files to survive reboots. But most impressively, it shows a level of autonomy in maintaining connectivity with its command-and-control (C2) infrastructure.

If contact with its C2 server is disrupted, Koske doesn’t wait for human intervention. It troubleshoots itself, resetting proxy settings, erasing firewall rules, and even crawling the web to brute-force new proxy connections until one works. This self-repairing capability is rare and points to how AI lowers the technical barrier to building highly resilient malware.

Why This Matters

Koske isn’t just a warning about crypto-mining malware; it’s a signal of how AI is transforming the threat landscape. Malware authors no longer need to be highly skilled coders to develop sophisticated, evasive, and persistent threats. With AI tools at their fingertips, attackers can iterate and refine malicious code in hours rather than weeks.

For IT teams, this means traditional detection methods may no longer be enough. Behaviour-based monitoring, automated response systems, and AI-driven threat hunting are becoming essential. And for businesses, especially those running Linux infrastructure or cloud environments, it’s a strong reminder to review configurations, restrict exposure, and harden defences before threats like Koske hit closer to home.